Knowledge and Insights

Managing objections to purchase Cyber insurance

01-06-2019

Although companies are aware of cyber risk generally, obstacles to purchase typically relate to uncertainty about the exposures actually faced by their business as well as a misunderstanding of the scope and cost of coverage available. Below are a few suggestions to manage such objections.

We already have these measures in place.

Companies may already purchase or deploy certain cybersecurity strategies, but do they know whether or not these services are truly effective? AIG can help assess the current state of your client’s cybersecurity posture more in depth. There are three key elements for an effective cyber security. These are securing the system, educating people and cyber insurance. All three pillars effectively contribute to a company’s readiness to deal with a cyber incident.

Our IT department is managing risk effectively.

A strong IT department is essential to managing cyber risk; but, given the proliferation of ransomware and daily new varieties of malware, it is impossible to prevent every attack. Insurance serves to complement a client’s IT department; and, if the worst occurs and their system is breached, it provides the peace of mind of knowing they have a team of experts ready to respond.

It is important to note that no insurance product will combine network interruption, liability, event management and fines in a comprehensive way. In this regards a cyber insurance is the only insurance product to thoroughly cover cyber risk and no combination of other products can provide the same security.

We determine coverage needs based on what our peers are doing.

Every company is unique and cyber criminals, employees, and competitors may be interested in your client’s digital assets. AIG has underwritten thousands of cyber policies and has experience across numerous industries. Our underwriting model and corresponding reports can help companies determine their needs through benchmarking and risk reducing controls. Additionally a pro-active approach can help your company steer clear of risks affecting other companies in the industry. We have noticed that nowadays companies are more inclined to oblige contracting parties to take up cyber cover. A company can anticipate on future requirements and convince its clients that it does everything to mitigate risk by underwriting a cyber policy.

Our data and/or industry is not a high-risk target for cyber threats.

No company is safe from cyber threats, and bad actors are actively exploiting the vulnerabilities of companies and industries that do not perceive themselves as high risk. Ask your client: could they withstand a complete shutdown of their network for any period of time? There’s more than data at stake, and AIG’s cyber insurance is there to respond.

62% of businesses that are attacked are small or medium in size. A simple example would be the Bio farmer that suffered a ransomware attack and couldn’t use its equipment for four days.

The financial cost of an incident would not be significant.

The average cost of a breach is currently estimated at more than $3.6 million. You may want to look at a breach calculator. This will show you that the financial costs will include management of the event, network interruption, liability, and possibly even legal costs and fines. Knowing that a managing a cyber event can cost up to $ 50.000 a day, we can conclude that the cost of any cyber incident can accrue rapidly. This does not include the cost of reputation loss which a cyber policy can help mitigate as well.

We don’t need it. We’re not subject to data protection regulation.

It needs to be stated first and foremost that any company can be held liable for the personal information they process. This personal information can belong to third parties but also employees or clients of the company. Here fines and penalties represent only a portion of the costs that may be incurred as a result of a breach. Organizations must also consider reputational harm, data recovery costs, business interruption, and possible third party liability. In addition, the regulatory environment is constantly evolving, with certain industries adopting standards and best practices separate and apart from state and country specific regulation.

Companies are increasingly moving towards outsourced service providers and cloud-based storage. Still, such providers must be properly vetted.

We don’t need it. We outsource our security.

Companies are increasingly moving towards outsourced service providers and cloud-based storage. Still, such providers must be properly vetted. Insureds should read the fine print, as contracts often limit the providers’ liability in the event of a breach.

Our existing insurance policies typically cover some cyber risk.

AIG offers a comprehensive cyber risk management solution. No other form of liability insurance offers such specialized coverage to assist clients in handling all aspects of a cyber incident. While other policies may offer coverage for certain components of cyber risk, the policy may contain certain exclusions or sub-limits impacting or limiting the coverage. Cyber insurance can also be packaged with other policies, such as Property Performance Services, to provide additional placement and coverage options. It is important to note that no product will combine network interruption, liability, event management and fines in a comprehensive way. In this regards a cyber insurance is the only insurance product to thoroughly cover cyber risk and no combination of other products can provide the same security.

Cyber threats are evolving quickly, it is difficult to keep up.

In a rapidly changing landscape, AIG’s cyber solutions provide innovative protection and responsive guidance based on years of experience. With AIG’s help, businesses keep ahead of the curve when it comes to managing cyber risk.

Cyber premiums are modest in comparison to the potential cost of a cyber event, when all components – data recovery, event management, reputational harm, network interruption, and other third party liability – are taken into account.

The cost of cyber insurance is too high.

Cyber premiums are modest in comparison to the potential cost of a cyber event, when all components – data recovery, event management, reputational harm, network interruption and other third party liability – are taken into account. Cyber insurance provides an effective and affordable tool to help manage an incident and mitigate disruption to your client’s business. This assistance element limits the duration and cost of a possible cyber event. The potential cost of a cyber event is considerable as compared to the relative premium of a cyber policy.

I’ve never had a cyber breach so I don’t need this coverage.

The environment is constantly changing, and with the ever increasing reliance on data, companies are more susceptible to security and privacy threats than ever before. Future legislation and increasingly stringent industry standards also suggest that the costs of a breach will continue to climb. Proactively managing the risk is crucial. An AIG survey with CEO’s in the US showed that over 80% of companies have dealt with some sort of cyber event in the past five years. However under 35% believe that is can happen to them (again). This goes to show that the risk is greater than we can generally fathom.

We don’t need it. We aren’t a large corporation and don’t think our data and/or industry is a high risk for cyber threats.